301d8f580f
Glance service APIs default to 'service_roles: service' -
https://github.com/openstack/glance/blob/6c33a667a9f5ddce07b6131f4a5cb7460a4bdf17/glance/policies/base.py#L116

The issue here is the service token, which is sent from the service for
the user token expiry case, but glance uses that service token
(keystonemiddleware sets the service token roles in the RequestContext
'service_roles' field) for RBAC, which is not correct.

The OpenStack services communicate with each other by passing the user
token and service token wrapped in keystoneauth's
ServiceTokenAuthWrapper. The only purpose of passing the service token
is for long-running operations, in case the user token gets expired.

For RBAC, we need to check if the user token has the 'service' role or
not. The service needs to load the configured user auth plugin (where
the user should have the 'service' role) from keystoneauth and pass that
to the other services (for example, cinder change depends-on), and
glance will use that user's role to verify the policy permission.

To fix that, we need to make the service APIs default to ``role:service``
and not ``service_role:service``.

This commit does one more change. Cinder does not have a way to
configure the glance service user; we are adding the new config in this
release. For backward compatibility, we need to allow admin access in
the service policy rule. In a future release (after one SLURP release),
we can remove the admin access.

Closes-Bug: #2121622
Co-Authored-By: Sean Mooney <work@seanmooney.info>
Change-Id: I50909e6bdb3227ca99b7eba642546da791f9552a
Signed-off-by: Sean Mooney <work@seanmooney.info>
Signed-off-by: Ghanshyam Maan <gmaan@ghanshyammann.com>
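The following is an added example, not code from the glance change, oslo.policy or keystonemiddleware. It is a minimal stand-in for oslo.policy's generic ``kind:value`` checks, written to show why a ``service_role:service`` default lets an ordinary user reach a service API whenever a service token rides along with the request, and why ``role:service`` (with ``role:admin`` kept for one SLURP cycle) ties the decision to the user token instead. The evaluator, the credential dicts, the scenario names and the ``role`` to ``roles`` / ``service_role`` to ``service_roles`` mapping are assumptions constructed for illustration.

```python
"""Added example: a minimal stand-in for oslo.policy's ``kind:value`` checks
that shows why Glance's service APIs must default to ``role:service``
rather than ``service_role:service``. The evaluator, credential dicts and
scenario names below are constructed for illustration; they are not code
from glance, oslo.policy or keystonemiddleware.
"""


def generic_check(term: str, creds: dict) -> bool:
    """Evaluate one ``kind:match`` term.

    Mirrors oslo.policy's GenericCheck for list-valued credentials:
    ``role:X`` looks at creds['roles'] (roles of the user token, i.e.
    X-Auth-Token) and ``service_role:X`` looks at creds['service_roles']
    (roles of the service token, i.e. X-Service-Token). Assumption: the
    'role' -> 'roles' / 'service_role' -> 'service_roles' mapping is
    hard-coded here to match what keystonemiddleware puts on the
    RequestContext.
    """
    kind, match = term.split(":", 1)
    key = {"role": "roles", "service_role": "service_roles"}.get(kind, kind)
    value = creds.get(key, [])
    if isinstance(value, (list, tuple, set)):
        return match in value
    return value == match


def check_rule(rule: str, creds: dict) -> bool:
    """Evaluate ``term or term ...``; 'or' is the only combinator needed."""
    return any(generic_check(t.strip(), creds) for t in rule.split(" or "))


def context_from_tokens(user_token_roles, service_token_roles=()):
    """Credentials as keystonemiddleware leaves them on the RequestContext:
    'roles' from X-Auth-Token, 'service_roles' from X-Service-Token
    (empty when the caller sent no service token)."""
    return {"roles": list(user_token_roles),
            "service_roles": list(service_token_roles)}


OLD_RULE = "service_role:service"            # pre-fix default
NEW_RULE = "role:service or role:admin"      # fix, admin kept one SLURP cycle
FUTURE_RULE = "role:service"                 # after admin access is removed

# Constructed scenarios (not real tokens).
SCENARIOS = {
    # An ordinary member calls cinder; cinder forwards the member's token
    # wrapped in ServiceTokenAuthWrapper, so a service token rides along.
    "member_via_cinder": context_from_tokens(["member"], ["service"]),
    # Cinder authenticates to glance with its configured service user,
    # whose own token carries the 'service' role (the intended flow).
    "cinder_service_user": context_from_tokens(["service"]),
    # Admin and member calling the API directly, no service token.
    "admin_direct": context_from_tokens(["admin"]),
    "member_direct": context_from_tokens(["member"]),
}


def evaluate(rule: str) -> dict:
    """Map each scenario name to whether ``rule`` grants it access."""
    return {name: check_rule(rule, creds) for name, creds in SCENARIOS.items()}


if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE, FUTURE_RULE):
        print(f"{rule!r}: {evaluate(rule)}")
```

Running it shows the confused-deputy shape of the bug: under the old rule only ``member_via_cinder`` is granted, because the roles consulted are those of cinder's service token rather than the caller's, while the service user that cinder is meant to authenticate with is denied. Under the new rule the grant follows the user token, so ``cinder_service_user`` and (for now) ``admin_direct`` pass and the forwarded member request does not; dropping ``role:admin`` later removes the admin grant without touching the service path.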